Tuesday, June 11, 2013

Viewing the Exchange 2010 Anti-Spam Logs

In most cases, you should have anti-spam filtering for Exchange 2010 that is provided by something other than Exchange 2010 itself. Exchange 2010 has some basic anti-spam filtering features, but they are not as capable or as easy to work with as online filtering services (such as ForeFront Online for Exchange) or on-premises products (such as Barracuda devices or Symantec Mail Security).

Note: SBS2011 enables the built-in anti-spam filtering capabilities of Exchange 2010 by default.

If you choose to use the spam filtering in Exchange 2010 (or end up using it by accident), viewing the logs is pretty awkward. The only interface Exchange 2010 provides is the Get-AgentLog cmdlet, and its only filtering parameters are a start date and an end date. To see only what you want, you need to filter the output of Get-AgentLog yourself.

To make life easier, here is the list of properties supplied for each message that you can filter on:
  • RunspaceId - Not useful
  • Timestamp - Filter on this with the start date and end date parameters of Get-AgentLog instead
  • SessionId - Not useful
  • IPAddress - The mail server sending the message
  • MessageId - Generally not useful unless the sender provides this information to help you search for it
  • P1FromAddress
  • P2FromAddresses
  • Recipients
  • Agent - Indicates which anti-spam filter caught the spam
  • Event - When the filtering was applied (OnEndOfData is typical)
  • Action - Look for RejectMessage when identifying spam that is filtered
  • SmtpResponse - The SMTP code that was provided to the sender (5.7.1 is a spam rejection)
  • Reason - Provides a summarized reason as to why the message was blocked
  • ReasonData - When blocked because of a high SCL, this displays the SCL value
  • Diagnostics - Codes that don't look useful to me
An example of filtering for rejected messages for a specific user:
Get-AgentLog -StartDate "06/11/2013 9:00:00 AM" | Where-Object {($_.Recipients -like "*username*") -and ($_.Action -eq "RejectMessage")}
The above example uses Get-AgentLog to list all messages in the log after 9am on June 11, 2013. The list of messages is piped to Where-Object for filtering.

The filter looks for recipients that contain the text username. You could use -eq and search for a specific full email address, but I find it easier to search for just the user portion of the address. The Recipients property is an array, and with -eq you may have to supply every address in it for the comparison to match properly.

The filter also looks for messages that have an action of RejectMessage. I am only interested in viewing the rejected messages to verify whether a sender is being blocked.
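As an added example (not from the original post), here is a PowerShell function that applies the same Recipients/Action filter and then summarizes the rejections by Agent, Reason and sending IP address, so you can see at a glance which filter is blocking a sender, how often, and what ReasonData (for example the SCL value) it recorded. The function name, its parameters and the sample log entries are assumptions made for this example; the sample entries are constructed to look like Get-AgentLog output so the block runs offline, and the code sticks to PowerShell 2.0 syntax so it also works in older Exchange 2010 Management Shell sessions.

```powershell
# Added example, not code from the original post. Function name, parameters
# and sample data are assumptions; the sample entries are constructed.

function Get-SpamRejectionSummary {
    [CmdletBinding()]
    param(
        # Substring matched against each address in the Recipients array
        [Parameter(Mandatory = $true)]
        [string]$Recipient,

        # Agent log entries, e.g. piped from Get-AgentLog -StartDate ...
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [object[]]$Entry
    )

    begin { $matched = @() }

    process {
        foreach ($e in $Entry) {
            # Recipients is an array; -like on an array returns the matching
            # elements, so any match makes the expression truthy
            $hit = @($e.Recipients) -like "*$Recipient*"
            if ($hit -and $e.Action -eq 'RejectMessage') {
                $matched += $e
            }
        }
    }

    end {
        # One row per Agent/Reason/IPAddress combination with a count, the
        # distinct ReasonData values and the most recent rejection time
        $matched |
            Group-Object -Property Agent, Reason, IPAddress |
            ForEach-Object {
                $g = $_.Group
                New-Object PSObject -Property @{
                    Count      = $_.Count
                    Agent      = $g[0].Agent
                    Reason     = $g[0].Reason
                    IPAddress  = $g[0].IPAddress
                    ReasonData = ($g | ForEach-Object { $_.ReasonData } |
                                  Sort-Object -Unique) -join ','
                    LastSeen   = ($g | ForEach-Object { $_.Timestamp } |
                                  Sort-Object -Descending | Select-Object -First 1)
                }
            } |
            Select-Object Count, Agent, Reason, IPAddress, ReasonData, LastSeen |
            Sort-Object -Property Count -Descending
    }
}

# Helper that builds one constructed entry shaped like Get-AgentLog output
function New-SampleEntry($Time, $Ip, $From, $To, $Agent, $Action, $Reason, $Data) {
    New-Object PSObject -Property @{
        Timestamp = [datetime]$Time; IPAddress = $Ip; P1FromAddress = $From
        Recipients = @($To); Agent = $Agent; Event = 'OnEndOfData'
        Action = $Action; Reason = $Reason; ReasonData = $Data
    }
}

# Constructed sample log (documentation IP ranges, not real senders)
$sampleLog = @(
    (New-SampleEntry '2013-06-11 09:15:00' '192.0.2.10' 'bulk@example.net' `
        @('username@example.com', 'other@example.com') 'Content Filter Agent' `
        'RejectMessage' 'SclAtOrAboveRejectThreshold' '8'),
    (New-SampleEntry '2013-06-11 09:40:00' '192.0.2.10' 'bulk@example.net' `
        'username@example.com' 'Content Filter Agent' `
        'RejectMessage' 'SclAtOrAboveRejectThreshold' '9'),
    (New-SampleEntry '2013-06-11 10:05:00' '198.51.100.5' 'spoof@example.org' `
        'username@example.com' 'Sender Id Agent' 'RejectMessage' 'SenderIdFail' ''),
    # Accepted mail and rejections for other users must not appear in the summary
    (New-SampleEntry '2013-06-11 10:20:00' '203.0.113.7' 'partner@example.com' `
        'username@example.com' 'Content Filter Agent' 'AcceptMessage' 'SclBelowThreshold' '1'),
    (New-SampleEntry '2013-06-11 10:30:00' '192.0.2.10' 'bulk@example.net' `
        'other@example.com' 'Content Filter Agent' 'RejectMessage' 'SclAtOrAboveRejectThreshold' '7')
)

# Offline run against the constructed sample: two rows are expected, the
# 192.0.2.10 content-filter row with Count 2 and ReasonData "8,9" first
$sampleLog | Get-SpamRejectionSummary -Recipient 'username' | Format-Table -AutoSize

# On the server, feed the real log in exactly as the post does:
# Get-AgentLog -StartDate "06/11/2013 9:00:00 AM" | Get-SpamRejectionSummary -Recipient 'username'
```

Grouping by IPAddress as well as Agent and Reason is deliberate: a single sender being blocked repeatedly from one IP looks very different from scattered one-off rejections, and the distinct ReasonData values show whether the SCL sits just at the reject threshold or well above it, which is what you want to know before deciding whether a legitimate sender needs to be whitelisted.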
